Cisco Firepower Management Center 4000 Developer Guide
Version 5.3
Sourcefire 3D System eStreamer Integration Guide
Appendix B: Understanding Legacy Data Structures

Legacy Correlation Event Data Structures
Other legacy correlation (compliance) data structures are described in the topics that follow.
Correlation Event for 4.8.0.2 - 4.9.1.x
Correlation events contain information about policy violations and are transmitted when correlation policies are violated. The Defense Center uses the standard message header with a record type of 97, followed by a correlation data block with a type of 84. The source and destination user ID fields were added in version 4.7.0.2 - 4.8.

You can request that eStreamer transmit 4.8.0.2 - 4.9.1.x correlation events by setting bit 22 in the Flags field of a request message. If you also enable bit 23, an extended event header is included in each record.

To request user record metadata along with the policy event data, you must request policy event data using bit 22 and also request version 4 metadata (bit 20). For more information, see
File Event SHA Hash 5.1.1-5.2.x Data Block Fields (Continued)

Field                      Data Type   Description
String Block Length        uint32      The number of bytes included in the name String data
                                       block, including eight bytes for the block type and
                                       header fields plus the number of bytes in the Name
                                       field.
File Name or Disposition   string      The descriptive name or disposition of the file. If
                                       the file is clean, this value is Clean. If the file's
                                       disposition is unknown, the value is Neutral. If the
                                       file contains malware, the file name is given.
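The request bits and record layout described in the correlation event section above, and the String Block length rule in the table, worked through as an added example in Python (this is not Sourcefire or Cisco code, nor the guide's reference client). Beyond what the page states, it assumes big-endian uint32 fields, that the extended event header is eight bytes (a server timestamp and a reserved word), that the record length counts every byte after the length field, and that a data block's length field includes its own eight header bytes, as the String Block row says; the helper names and the sample payloads are constructed for this example.

```python
# Added example, not Sourcefire/Cisco code: request flags and record parsing for the
# legacy 4.8.0.2 - 4.9.1.x correlation event, plus the String Block length rule.
import struct

# Bits of the Flags field in an eStreamer request message, as named on the page.
FLAG_METADATA_V4 = 1 << 20         # version 4 metadata
FLAG_CORRELATION_LEGACY = 1 << 22  # 4.8.0.2 - 4.9.1.x correlation events
FLAG_EXTENDED_HEADER = 1 << 23     # extended event header on every record

RECORD_TYPE_CORRELATION = 97  # record type in the standard message header
BLOCK_TYPE_CORRELATION = 84   # correlation data block that follows it
BLOCK_HEADER_LEN = 8          # block type + block length, uint32 each (page: "eight bytes")
EXTENDED_HEADER_LEN = 8       # ASSUMPTION: uint32 server timestamp + uint32 reserved


def build_request_flags(user_metadata=True, extended_header=False):
    """Flags word asking for legacy correlation events (bit 22), optionally with
    version 4 metadata (bit 20) and the extended header (bit 23)."""
    flags = FLAG_CORRELATION_LEGACY
    if user_metadata:
        flags |= FLAG_METADATA_V4
    if extended_header:
        flags |= FLAG_EXTENDED_HEADER
    return flags


def flag_problems(flags):
    """Dependency check from the page: user records only arrive with policy
    events when bit 22 and bit 20 are both set."""
    problems = []
    if flags & FLAG_CORRELATION_LEGACY and not flags & FLAG_METADATA_V4:
        problems.append("bit 22 set without bit 20: no user record metadata")
    return problems


def parse_block_header(data, offset):
    """Read a big-endian (block type, block length) header. The length counts
    the eight header bytes as well as the payload, so validate before slicing."""
    if len(data) - offset < BLOCK_HEADER_LEN:
        raise ValueError("truncated block header")
    block_type, block_len = struct.unpack_from(">II", data, offset)
    if block_len < BLOCK_HEADER_LEN or offset + block_len > len(data):
        raise ValueError("block length %d inconsistent with buffer" % block_len)
    return block_type, block_len


def make_string_block(block_type, text):
    """Constructed sample String Block: header, then the raw string bytes."""
    raw = text.encode("utf-8")
    return struct.pack(">II", block_type, BLOCK_HEADER_LEN + len(raw)) + raw


def parse_string_block(data, offset):
    """Return (block type, text, offset of the next block)."""
    block_type, block_len = parse_block_header(data, offset)
    raw = data[offset + BLOCK_HEADER_LEN:offset + block_len]
    return block_type, raw.decode("utf-8", "replace"), offset + block_len


def make_correlation_record(payload, extended_header=False, server_ts=1400000000):
    """Constructed sample record body (the bytes after the 8-byte message header):
    record type 97, record length, optional extended header, then block 84."""
    ext = struct.pack(">II", server_ts, 0) if extended_header else b""
    block = struct.pack(">II", BLOCK_TYPE_CORRELATION,
                        BLOCK_HEADER_LEN + len(payload)) + payload
    # ASSUMPTION: record length counts every byte after the length field.
    return struct.pack(">II", RECORD_TYPE_CORRELATION, len(ext) + len(block)) + ext + block


def parse_correlation_record(record, extended_header):
    """Validate type 97 / block 84; return (server timestamp or None, block payload).
    `extended_header` must match bit 23 of the request that produced this stream:
    the record itself does not say whether the extra 8 bytes are present."""
    if len(record) < 8:
        raise ValueError("truncated record header")
    record_type, record_len = struct.unpack_from(">II", record, 0)
    if record_type != RECORD_TYPE_CORRELATION:
        raise ValueError("record type %d is not a legacy correlation event" % record_type)
    if record_len > len(record) - 8:
        raise ValueError("record length %d exceeds buffer" % record_len)
    offset, server_ts = 8, None
    if extended_header:
        if record_len < EXTENDED_HEADER_LEN:
            raise ValueError("record too short for extended header")
        server_ts, _reserved = struct.unpack_from(">II", record, offset)
        offset += EXTENDED_HEADER_LEN
    block_type, block_len = parse_block_header(record, offset)
    if block_type != BLOCK_TYPE_CORRELATION:
        raise ValueError("expected block type 84, got %d" % block_type)
    return server_ts, record[offset + BLOCK_HEADER_LEN:offset + block_len]


if __name__ == "__main__":
    flags = build_request_flags(extended_header=True)
    print("request flags: 0x%08x, problems: %s" % (flags, flag_problems(flags)))
    rec = make_correlation_record(b"\x00\x00\x00\x07", extended_header=True)
    print(parse_correlation_record(rec, extended_header=True))
    print(parse_string_block(make_string_block(0, "Neutral"), 0))
```

The parser takes `extended_header` from the caller because nothing in the record marks whether bit 23 was requested; a client that forgets what it asked for reads the server timestamp as a block type. The length checks run before any slice, so a block length smaller than eight or larger than the buffer is rejected instead of silently yielding an empty or wrong payload.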